Win32/Rootkit.Agent.ODG



#1
baw3187
    New Member
  • Member
  • 1 posts
Can't seem to get rid of this guy; thought maybe you guys could help!

This is what ESET tells me:

5/1/2009 3:48:41 PM Startup scanner operating memory Operating memory Win32/Rootkit.Agent.ODG trojan unable to clean BLAKE\Administrator

Rooter log = http://paste2.org/p/196000
OTList log = http://paste2.org/p/195998
Combofix log = http://paste2.org/p/196001

Edited by baw3187, 01 May 2009 - 02:59 PM.



#2
RKinner
    Malware Expert
  • Expert
  • 24,699 posts
  • MVP
Next time copy and paste your logs into a reply. I think that's why you got ignored so long.

You've got a rootkit.

Copy the text between the lines of stars by highlighting and Ctrl + c.

******************************************

Killall:


RootKit::
c:\windows\system32\drivers\ovfsthxfbkatrww.sys
c:\windows\system32\ovfsthxcimcrenf.dat
c:\windows\system32\ovfsthxeaujlcqp.dll
c:\windows\system32\ovfsthxjbvscnvt.dll
c:\windows\system32\ovfsthxkdjdwfke.dll
c:\windows\system32\ovfsthxlomhfeff.dat
c:\windows\system32\ovfsthxmpfulnor.dll
c:\windows\system32\ovfsthxpegoievi.dll
c:\windows\system32\ovfsthxqrkdpdco.dll
c:\windows\system32\ovfsthxuxyyueqx.dat
c:\windows\system32\ovfsthxyyifgsgq.dat

File::
c:\windows\system32\drivers\ovfsthxfbkatrww.sys
c:\windows\system32\ovfsthxcimcrenf.dat
c:\windows\system32\ovfsthxeaujlcqp.dll
c:\windows\system32\ovfsthxjbvscnvt.dll
c:\windows\system32\ovfsthxkdjdwfke.dll
c:\windows\system32\ovfsthxlomhfeff.dat
c:\windows\system32\ovfsthxmpfulnor.dll
c:\windows\system32\ovfsthxpegoievi.dll
c:\windows\system32\ovfsthxqrkdpdco.dll
c:\windows\system32\ovfsthxuxyyueqx.dat
c:\windows\system32\ovfsthxyyifgsgq.dat
C:\Ntf21.tmp
C:\Ntf22.tmp
C:\Ntf20.tmp
C:\Ntf1F.tmp
C:\Ntf1D.tmp
C:\Ntf1E.tmp
C:\Ntf1B.tmp
C:\Ntf1C.tmp
C:\Ntf19.tmp
C:\Ntf1A.tmp
C:\Ntf17.tmp
C:\Ntf18.tmp
C:\Ntf15.tmp
C:\Ntf16.tmp
C:\Ntf13.tmp
C:\Ntf14.tmp
C:\Ntf11.tmp
C:\Ntf12.tmp
C:\NtfF.tmp
C:\Ntf10.tmp
C:\NtfD.tmp
C:\NtfE.tmp
C:\NtfB.tmp
C:\NtfC.tmp
C:\NtfA.tmp
C:\Ntf9.tmp
C:\Ntf8.tmp
C:\Ntf7.tmp
C:\Ntf4.tmp
C:\Ntf3.tmp
C:\Ntf2.tmp
C:\Ntf1.tmp
C:\Ntf6.tmp
C:\Ntf5.tmp


******************************************

Now open Notepad (Start, Run, notepad, OK) and Ctrl + V to paste the text into Notepad. Make sure you got it all, then File, SAVE AS, (to your Desktop), CFScript, OK. Close Notepad. (Overwrite the old one if it's still there.) You should see a file CFScript.txt on your desktop.

Drag it over to combofix and let it start as before.

Post the new log.

Ron
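A defender-side check built from the indicators in the post above, added here as an example; it is not code from the thread, from ComboFix or from ESET. The eleven exact paths come from the CFScript. The two regular expressions are an assumption generalised from those names (prefix "ovfsthx" plus eight random letters, and C:\Ntf<hex>.tmp leftovers) so that a variant with a fresh random suffix is still flagged, and the directory listing the scan runs over is constructed for the demonstration. The last function lays the findings out in the Killall:/RootKit::/File:: form the expert used, which is the step he asked the poster to do by hand.

```python
import re
from pathlib import PureWindowsPath

# Exact paths named in the CFScript in the post above (indicators from the thread).
KNOWN_ROOTKIT_FILES = {
    r"c:\windows\system32\drivers\ovfsthxfbkatrww.sys",
    r"c:\windows\system32\ovfsthxcimcrenf.dat",
    r"c:\windows\system32\ovfsthxeaujlcqp.dll",
    r"c:\windows\system32\ovfsthxjbvscnvt.dll",
    r"c:\windows\system32\ovfsthxkdjdwfke.dll",
    r"c:\windows\system32\ovfsthxlomhfeff.dat",
    r"c:\windows\system32\ovfsthxmpfulnor.dll",
    r"c:\windows\system32\ovfsthxpegoievi.dll",
    r"c:\windows\system32\ovfsthxqrkdpdco.dll",
    r"c:\windows\system32\ovfsthxuxyyueqx.dat",
    r"c:\windows\system32\ovfsthxyyifgsgq.dat",
}

# Assumption, generalised from the eleven names above and not stated in the
# thread: every component is "ovfsthx" + eight random letters with a
# .sys/.dll/.dat extension, and the leftovers are C:\Ntf<hex>.tmp files.
COMPONENT_RE = re.compile(r"ovfsthx[a-z]{8}\.(sys|dll|dat)", re.IGNORECASE)
TEMP_RE = re.compile(r"ntf[0-9a-f]{1,2}\.tmp", re.IGNORECASE)
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\system32\drivers"}


def classify(path):
    """Return a category for a suspicious path, or None for a benign one."""
    p = PureWindowsPath(path)
    parent = str(p.parent).lower()
    if str(p).lower() in KNOWN_ROOTKIT_FILES:
        return "known-rootkit-file"
    # A variant with a different random suffix; restricted to the system
    # directories to keep false positives down.
    if COMPONENT_RE.fullmatch(p.name) and parent in SYSTEM_DIRS:
        return "rootkit-variant"
    if TEMP_RE.fullmatch(p.name) and parent == "c:\\":
        return "dropper-temp"
    return None


def scan_listing(paths):
    """Group the suspicious entries of a file listing by category, each sorted."""
    findings = {}
    for path in paths:
        category = classify(path)
        if category is not None:
            findings.setdefault(category, []).append(path)
    return {category: sorted(hits) for category, hits in findings.items()}


def render_cfscript(findings):
    """Lay the findings out in the Killall:/RootKit::/File:: form used in the post."""
    rootkit = findings.get("known-rootkit-file", []) + findings.get("rootkit-variant", [])
    files = rootkit + findings.get("dropper-temp", [])
    return "\n".join(["Killall:", "", "RootKit::", *rootkit, "", "File::", *files, ""])


# Constructed directory listing for a demonstration run (not from the thread).
SAMPLE_LISTING = [
    r"C:\Windows\System32\ntoskrnl.exe",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\drivers\ovfsthxfbkatrww.sys",   # listed in the post
    r"C:\Windows\System32\ovfsthxcimcrenf.dat",           # listed in the post
    r"C:\Windows\System32\ovfsthxqqzzppll.dll",           # same scheme, new suffix
    r"C:\Users\someone\Downloads\ovfsthxabcdefgh.dll",    # outside system32: ignored
    r"C:\Ntf21.tmp",
    r"C:\NtfFF.tmp",
    r"C:\Windows\Temp\Ntf1.tmp",                          # wrong directory: ignored
]

if __name__ == "__main__":
    results = scan_listing(SAMPLE_LISTING)
    for category, hits in results.items():
        print(category)
        for hit in hits:
            print("   ", hit)
    print(render_cfscript(results))
```

On a live machine the listing would come from walking C:\ and C:\Windows\System32 rather than from SAMPLE_LISTING; the location check on the variant pattern is a deliberate trade-off, since a file with that naming scheme outside the system directories is worth a look but is not reported as a rootkit component here.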